Skip to content

[Doc] Runtime fields and Grok - additional example and Grok pickiness #73262

New issue
New issue
Closed
#73118
Closed
[Doc] Runtime fields and Grok - additional example and Grok pickiness#73262
#73118
Assignees
lockewritesdocs
Labels
:Search/SearchSearch-related issues that do not fall into other categories>docsGeneral docs changesTeam:DocsMeta label for docs teamTeam:SearchMeta label for search team
@toby-sutor

Description

@toby-sutor
toby-sutor
opened on May 20, 2021

At https://www.elastic.co/guide/en/elasticsearch/reference/master/runtime-examples.html#runtime-examples-grok we are documenting how to use runtime fields in the mapping. Can we please also elaborate that this can be used in a search query. E.g.:

GET my-index/_search
{
  "runtime_mappings": {
    "clientip": {
      "type": "keyword",
      "script": {
        "source": """
        String clientip=grok('%{COMMONAPACHELOG}').extract(doc["message"]).value)?.clientip;
if (clientip != null) emit(clientip);
"""
      }
    }
}
}

In addition would it be worth to document that accessing tokenized values (neither keyword nor wildcard but text with fielddata) via .extract(params["_source"]["message"]) (instead of .extract(doc["message"])).

Finally, Grok seems to be more picky on the runtime fields compared to the Kibana Grok debugger - especially on the whitespaces. E.g.
Raw: "clientip = 127.0.0.1"
Kibana Grok debugger: clientip = %{COMMONAPACHELOG} - will match
Runtime Grok: grok("clientip = %{COMMONAPACHELOG}") - will not match and requires grok("clientip\\s=\\s%{COMMONAPACHELOG}") instead.

Ref. https://github.com/elastic/sdh-elasticsearch/issues/4361

Metadata

Metadata

Assignees

Labels

:Search/SearchSearch-related issues that do not fall into other categories>docsGeneral docs changesTeam:DocsMeta label for docs teamTeam:SearchMeta label for search team

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions